5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39259

GHSA ID

GHSA-3r7j-8mqh-6qhx

EPSS Score

0.04772%

CWE

Published

10/20/2022

Updated

1/30/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-39259

CVE-2022-39259: Jadx-gui vulnerable to swing HTML Denial of Service (DoS) attack

Impact

Using jadx-gui to open a special zip file with entry containing HTML sequence like <html><frame> will cause interface to get stuck and throw exceptions like:

java.lang.RuntimeException: Can't build aframeset, BranchElement(frameset) 1,3
:no ROWS or COLS defined.
	at java.desktop/javax.swing.text.html.HTMLEditorKit$HTMLFactory.create(HTMLEditorKit.java:1387)
	at java.desktop/javax.swing.plaf.basic.BasicHTML$BasicHTMLViewFactory.create(BasicHTML.java:379)
	at java.desktop/javax.swing.text.CompositeView.loadChildren(CompositeView.java:112)

References

https://www.oracle.com/java/technologies/javase/seccodeguide.html

Guideline 3-7 / INJECT-7: Disable HTML display in Swing components:

Many Swing pluggable look-and-feels interpret text in certain components starting with <html> as HTML. If the text is from an untrusted source, an adversary may craft the HTML such that other components appear to be present or to perform inclusion attacks.

To disable the HTML render feature, set the "html.disable" client property of each component to Boolean.TRUE (no other Boolean true instance will do).

label.putClientProperty("html.disable", true);

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-39259

CVE-2022-39259:

5.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2022-39259

GHSA ID

GHSA-3r7j-8mqh-6qhx

EPSS Score

0.04772%

CWE

Published

10/20/2022

Updated

1/30/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.github.skylot:jadx-plugins-api	maven	<= 1.4.4	1.4.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Swing's default HTML rendering behavior in components like JLabel. The advisory explicitly references Guideline 3-7/INJECT-7 from Oracle's secure coding guidelines, which mandates disabling HTML rendering via the 'html.disable' property. The absence of this mitigation in Jadx's GUI components (evidenced by the CVE description and the 1.4.5 patch notes adding this protection) directly enables the DoS attack. While the exact file paths aren't provided in the references, the pattern matches Swing component initialization in GUI file handling modules.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-39259: Jadx-gui vulnerable to swing HTML Denial of Service (DoS) attack

Impact

References

CVE-2022-39259:

5.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-39259: Jadx-gui vulnerable to swing HTML Denial of Service (DoS) attack

Impact

References

Basic Information

Basic Information

5.5

5.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI